Diffusion 6.2.2 User Manual

Securing the console

Configuration is required to enable additional security around connections from the Diffusion™ console.

Allow the console to connect only on a specific connector

We strongly recommend that you allow the console to connect to Diffusion through a single connector only. Your load
balancer can then block connections from outside your organization to the port that this connector
listens on.

You can configure this in the following way:

In your etc/Connectors.xml configuration file, wherever the line
<web-server>default</web-server> appears in a connector that
receives external connections, replace it with a web server definition that contains
only a client-service definition. For example:

<web-server name="external">
    <!-- This section enables HTTP-type clients for this web server. -->
    <client-service name="client" debug="true">
        <!-- This parameter is used to re-order out-of-order messages received
             over separate HTTP connections opened by client browsers. It is rarely
             necessary to set this to more than a few tens of seconds.
             If you attempt to set this value to more than one hour, a warning is
             logged and a timeout of one hour is used. -->
        <message-sequence-timeout>4s</message-sequence-timeout>
        <!-- This controls access from client WebSocket connections to Diffusion.
             It is a regular expression that is matched against the origin of the
             request; ".*" matches anything, so all requests are allowed. -->
        <websocket-origin>.*</websocket-origin>
        <!-- This controls cross-origin resource sharing (CORS) for client connections
             to Diffusion. It is a regular expression that is matched against the
             origin of the request; ".*" matches anything. -->
        <cors-origin>.*</cors-origin>
        <!-- Enable compression for HTTP responses (client and file) when the
             response is bigger than this threshold. -->
        <compression-threshold>256</compression-threshold>
    </client-service>
</web-server>

Create a new connector in your etc/Connectors.xml configuration
file that defines a specific port that you use for internal connections to the console.

In this connector, set the value of the web-server element to
default.

In your load balancer, prevent outside traffic from having access to the port
specified in the new connector.
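The steps above leave the console reachable on exactly one connector, the one whose web-server element is set to default, and give every externally reachable connector an inline web server that contains only a client-service. The following script is an added example, not part of the Diffusion manual or product: it reads a Connectors.xml document, reports which connector ports reference the default web server (the ports to block at the load balancer), and flags deviations from the layout described above. It assumes, beyond what the page shows, that connectors are <connector name="..."> elements under a <connectors> root and that each has a <port> child; the sample document is constructed for the example.

```python
"""Audit a Diffusion etc/Connectors.xml for console exposure.

Added example, not part of the Diffusion manual or product. It checks the
recommendation on this page: the console (served by the "default" web server)
should be reachable through exactly one connector, and every connector that
receives external connections should carry an inline web-server definition
that contains only a client-service.

Assumptions (not from the page): connectors are <connector name="..."> elements
under a <connectors> root, each with a <port> child.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one external connector with an inline web server, and one
# internal connector that references the default web server (which serves the console).
SAMPLE_CONNECTORS_XML = """<connectors>
  <connector name="External Client Connector">
    <port>8080</port>
    <web-server name="external">
      <client-service name="client" debug="true">
        <message-sequence-timeout>4s</message-sequence-timeout>
        <websocket-origin>.*</websocket-origin>
        <cors-origin>.*</cors-origin>
        <compression-threshold>256</compression-threshold>
      </client-service>
    </web-server>
  </connector>
  <connector name="Internal Console Connector">
    <port>8443</port>
    <web-server>default</web-server>
  </connector>
</connectors>
"""


def audit_connectors(xml_text):
    """Return (console_ports, findings) for a Connectors.xml document.

    console_ports: ports of connectors that reference the default web server and
    therefore expose the console; these are the ports to block at the load balancer.
    findings: human-readable problems found (empty list means the layout matches).
    """
    root = ET.fromstring(xml_text)
    console_ports = []
    findings = []
    for connector in root.iter("connector"):
        name = connector.get("name", "<unnamed>")
        port = (connector.findtext("port") or "").strip()
        web_server = connector.find("web-server")
        if web_server is None:
            continue  # no HTTP services on this connector
        if len(web_server) == 0:
            # No child elements: this is a text reference to a named web server.
            if (web_server.text or "").strip() == "default":
                console_ports.append(port)
        else:
            # Inline definition: the page says it should contain only a client-service.
            extra = [child.tag for child in web_server if child.tag != "client-service"]
            if extra:
                findings.append(f"{name}: inline web-server also defines {extra}")
            if web_server.find("client-service") is None:
                findings.append(f"{name}: inline web-server has no client-service")
    if len(console_ports) > 1:
        findings.append(
            f"default web server (console) exposed on {len(console_ports)} connectors: {console_ports}"
        )
    if not console_ports:
        findings.append("no connector references the default web server; console unreachable")
    return console_ports, findings


if __name__ == "__main__":
    ports, problems = audit_connectors(SAMPLE_CONNECTORS_XML)
    print("Block these ports at the load balancer:", ports)
    print("Findings:", problems or "none")
```

Run it against your own file by replacing SAMPLE_CONNECTORS_XML with the contents of etc/Connectors.xml; a single port and an empty findings list is the expected result for the layout this page describes.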

If required, apply additional connection restrictions.

You can use a connection validation policy. For more information, see .

You can set these restrictions in your load balancer.

Disable console features in the configuration (as required)

The actions that a user can perform using the console are controlled by roles and
permissions. The principal that the user uses to log in to the console must have a role with
the permissions required to perform an action in the console.

A principal with the ADMINISTRATOR or OPERATOR role can use all of the functions of the Diffusion console.

To restrict users to using a smaller set of console features, ensure they use a principal
with a more restrictive set of roles and permissions. For more information, see Pre-defined roles.